Category: Security

Top 10 Web Application Security Risks

There are three new categories, four categories with naming and scoping changes, and some consolidation in the Top 10 for 2021.

Mapping
  • A01:2021-Broken Access Control moves up from the fifth position; 94% of applications were tested for some form of broken access control. The 34 Common Weakness Enumerations (CWEs) mapped to Broken Access Control had more occurrences in applications than any other category.
  • A02:2021-Cryptographic Failures shifts up one position to #2. It was previously known as Sensitive Data Exposure, which was a broad symptom rather than a root cause. The renewed focus here is on failures related to cryptography, which often lead to sensitive data exposure or system compromise.
  • A03:2021-Injection slides down to the third position. 94% of the applications were tested for some form of injection, and the 33 CWEs mapped into this category have the second most occurrences in applications. Cross-site Scripting is now part of this category in this edition.
  • A04:2021-Insecure Design is a new category for 2021, with a focus on risks related to design flaws. If we genuinely want to “move left” as an industry, it calls for more use of threat modeling, secure design patterns and principles, and reference architectures.
  • A05:2021-Security Misconfiguration moves up from #6 in the previous edition; 90% of applications were tested for some form of misconfiguration. With more shifts into highly configurable software, it’s not surprising to see this category move up. The former category for XML External Entities (XXE) is now part of this category.
  • A06:2021-Vulnerable and Outdated Components was previously titled Using Components with Known Vulnerabilities and is #2 in the Top 10 community survey, but also had enough data to make the Top 10 via data analysis. This category moves up from #9 in 2017 and is a known issue that we struggle to test and assess risk for. It is the only category not to have any Common Vulnerabilities and Exposures (CVEs) mapped to the included CWEs, so default exploit and impact weights of 5.0 are factored into its scores.
  • A07:2021-Identification and Authentication Failures was previously Broken Authentication and is sliding down from the second position, and now includes CWEs that are more related to identification failures. This category is still an integral part of the Top 10, but the increased availability of standardized frameworks seems to be helping.
  • A08:2021-Software and Data Integrity Failures is a new category for 2021, focusing on making assumptions related to software updates, critical data, and CI/CD pipelines without verifying integrity. It has one of the highest weighted impacts from Common Vulnerabilities and Exposures/Common Vulnerability Scoring System (CVE/CVSS) data mapped to the 10 CWEs in this category. Insecure Deserialization from 2017 is now a part of this larger category.
  • A09:2021-Security Logging and Monitoring Failures was previously Insufficient Logging & Monitoring and is added from the industry survey (#3), moving up from #10 previously. This category is expanded to include more types of failures, is challenging to test for, and isn’t well represented in the CVE/CVSS data. However, failures in this category can directly impact visibility, incident alerting, and forensics.
  • A10:2021-Server-Side Request Forgery is added from the Top 10 community survey (#1). The data shows a relatively low incidence rate with above average testing coverage, along with above-average ratings for Exploit and Impact potential. This category represents the scenario where the security community members are telling us this is important, even though it’s not illustrated in the data at this time.

DOM-based Extension Clickjacking: the invisible targeting of password managers


Technical context

At the DEF CON 33 conference, security researcher Marek Tóth disclosed a serious vulnerability affecting password manager browser extensions: DOM-based Extension Clickjacking, which allows sensitive data to be exfiltrated with a single user click (marektoth.com, The Hacker News).


What is DOM-based Extension Clickjacking?

Unlike classic web-side clickjacking attacks (invisible iframes), this attack targets the elements an extension injects into the page DOM (autofill menus, pop-ups, etc.). The malicious script:

  • makes those elements invisible with opacity: 0,
  • captures a click on a fake interface (e.g. a cookie banner),
  • and triggers autofill to exfiltrate the data (marektoth.com, heise online, The Hacker News).
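The defender-side counterpart of the three steps above, as an added example that is not code from the original article or from any password manager: before an extension honours a click on UI it injected into the page, it can check that the element and all of its ancestors are actually rendered visibly. `getStyle`, `fill`, `fakeNode` and the `MIN_OPACITY` threshold are assumptions made for this example; a real content script would pass `window.getComputedStyle`.

```javascript
// Added example: refuse to autofill when the injected UI is hidden by page CSS,
// which is the precondition DOM-based extension clickjacking relies on.
// `getStyle` is injected so the logic runs outside a browser (Node); a real content
// script would pass window.getComputedStyle. MIN_OPACITY is an assumed threshold.
const MIN_OPACITY = 0.9;

function isRenderedVisibly(element, getStyle) {
  const rect = element.getBoundingClientRect();
  if (rect.width === 0 || rect.height === 0) return false; // collapsed or not laid out
  for (let el = element; el; el = el.parentElement) {
    const s = getStyle(el);
    if (s.display === 'none' || s.visibility === 'hidden') return false;
    if (parseFloat(s.opacity) < MIN_OPACITY) return false; // opacity:0 on any ancestor
    if (s.clipPath && s.clipPath !== 'none') return false;  // clipped away by page CSS
  }
  return true;
}

// What the dropdown's click handler would do: fill only when the UI is really visible.
// `fill` stands in for the extension's own autofill routine (assumed callback).
function handleDropdownClick(item, getStyle, fill) {
  if (!isRenderedVisibly(item, getStyle)) {
    return { filled: false, reason: 'autofill UI is not visibly rendered' };
  }
  fill(item.credentialId);
  return { filled: true };
}

// Constructed stand-ins for DOM nodes and computed styles (no browser needed).
function fakeNode(style, parent, rect = { width: 200, height: 24 }) {
  return { style, parentElement: parent, credentialId: 'cred-1',
           getBoundingClientRect: () => rect };
}
const getStyle = (el) =>
  ({ display: 'block', visibility: 'visible', opacity: '1', clipPath: 'none', ...el.style });

const body = fakeNode({}, null);
const visibleItem = fakeNode({}, fakeNode({}, body));   // normal dropdown entry
const hiddenHost = fakeNode({ opacity: '0' }, body);    // page CSS hid the container
const hijackedItem = fakeNode({}, hiddenHost);          // entry inside that container
```

A production check would additionally confirm with `document.elementFromPoint` that the extension's element is the topmost one under the click.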

Test results – 11 password managers analysed

  • Fixed: NordPass, ProtonPass, RoboForm, Dashlane, Keeper (marektoth.com, Reddit)
  • Still vulnerable (as of 19–21 August 2025): Bitwarden, 1Password, iCloud Passwords, Enpass, LastPass, LogMeOnce (marektoth.com, The Hacker News, Socket)

Estimated impact: ~40 million active users (marektoth.com, The Cyber Express).


Exfiltrable data

  • Payment card data (card number, CVV, etc.) → 6/9 cases (marektoth.com)
  • Personal data (name, email, address, etc.) → 8/10 cases (marektoth.com)
  • Credentials, passwords, TOTP → 10/11 cases (marektoth.com)
  • Passkeys (modern cryptographic authentication) → exploitable via “signed assertion hijacking” → 8/11 cases (marektoth.com)

Why it is critical

  1. The attack is universal: no specific bug is required, a single click is enough (The Cyber Express).
  2. Classic web-side protections are not sufficient.
  3. Even extensions configured in manual mode (no automatic autofill) remain vulnerable (marektoth.com).
  4. Passkeys, initially considered more secure, can also be compromised if the server-side challenges are not implemented correctly (marektoth.com, The Cyber Express).

Short-term countermeasures

  • Enable automatic updates for your browser and your extension (heise online, The Hacker News).
  • Disable autofill; prefer copy and paste.
  • On Chromium-based browsers, configure the extension in “On click” mode (site access on click only) (marektoth.com, heise online).
  • Server side: make sure every passkey login includes a dynamic, session-bound challenge, so that an assertion cannot be reused (marektoth.com).

Autofill feature

Password managers have autofill functionality that can be of 2 types:

  • Automatic autofill – credentials are automatically filled in (0-click)
  • Manual autofill – user interaction is required to fill in credentials (selecting from a dropdown menu)

My research focuses on clickjacking, so a click is required, and I focused only on manual autofill.

I published research on automatic autofill in 2021 (blog).

Browser Extension Clickjacking

Clickjacking vulnerability in browser extensions works similarly to web applications. Through clicking, the user unknowingly performs an action that causes their browser extension to execute malicious activity such as data exfiltration, functionality deactivation, stored note deletion and others.

Browser extension clickjacking can currently be categorized into 2 types:

  • IFRAME-based – publicly described type (web_accessible_resources)
  • DOM-based – newly described type

I will first describe the IFRAME-based variant, which was not the research focus but may be unknown to many people.

IFRAME-based

A publicly documented clickjacking technique for browser extensions exploits misconfigured web_accessible_resources in the manifest.json file.

manifest.json is the main configuration file of a browser extension. It contains basic information such as the extension’s name, version, and description, as well as settings that define what scripts, icons, and permissions the extension uses. Without this file, the browser cannot recognize or run the extension.

Chromium-based path:
chrome-extension://<extension_ID>/manifest.json

Mozilla Firefox path:
moz-extension://<extension_ID>/manifest.json

Local device path:
%LocalAppData%\Google\Chrome\User Data\Default\Extensions\<extension_ID>\<version>\manifest.json

In the web_accessible_resources part, developers explicitly define files (HTML, scripts, styles, images) that should be accessible from web pages outside the extension interface itself. If developers don’t specify sufficient restrictions, attackers can abuse these resources.

Usage

When files with significant functionality (HTML files) are defined in web_accessible_resources, an attacker can create a page that loads this file into a transparent iframe and tricks users into unknowingly clicking on extension elements.

This uses basically the same principle as web application clickjacking.

Basic usage:

<iframe src="chrome-extension://<extension_ID>/file.html" style="opacity:0"></iframe>
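An audit of the manifest setting that makes the iframe above possible, as an added example that is not code from the original research: it reads a manifest.json and reports HTML resources in web_accessible_resources that any web origin may embed. The three manifests are constructed for illustration and belong to no real extension.

```javascript
// Added example: find HTML in web_accessible_resources that every origin may frame,
// which is the precondition of IFRAME-based extension clickjacking (Node.js).
const ALL_ORIGINS = new Set(['<all_urls>', '*://*/*', 'http://*/*', 'https://*/*']);

// Resource entries may be globs such as "ui/*", which can match HTML files too.
function mayBeHtml(pattern) {
  const p = pattern.toLowerCase();
  return p.endsWith('.html') || p.endsWith('.htm') || p.endsWith('*');
}

// Returns [{resource, origins}] for HTML a web page could load in an <iframe>.
// MV2 lists plain strings, reachable from every origin; MV3 entries carry 'matches'.
function framableHtml(manifestText) {
  const manifest = JSON.parse(manifestText);
  const out = [];
  for (const entry of manifest.web_accessible_resources || []) {
    if (typeof entry === 'string') {                      // MV2 shape
      if (mayBeHtml(entry)) out.push({ resource: entry, origins: ['<all_urls>'] });
      continue;
    }
    const origins = entry.matches || [];                  // MV3 shape
    if (origins.length === 0) continue;                   // only extension_ids: no web access
    for (const res of entry.resources || []) {
      if (mayBeHtml(res)) out.push({ resource: res, origins });
    }
  }
  return out;
}

// The finding a reviewer cares about: HTML that every origin may frame.
function exposedToAllOrigins(manifestText) {
  return framableHtml(manifestText)
    .filter(({ origins }) => origins.some((o) => ALL_ORIGINS.has(o)))
    .map(({ resource }) => resource);
}

// Constructed manifests (not from any real extension).
const WEAK_MV2 = JSON.stringify({ manifest_version: 2, name: 'demo-vault',
  web_accessible_resources: ['ui/vault.html', 'img/logo.png'] });
const WEAK_MV3 = JSON.stringify({ manifest_version: 3, name: 'demo-vault',
  web_accessible_resources: [{ resources: ['ui/*'], matches: ['<all_urls>'] }] });
// Hardened: only a static image is web-accessible, and only to the vendor's own origin.
const HARDENED_MV3 = JSON.stringify({ manifest_version: 3, name: 'demo-vault',
  web_accessible_resources: [{ resources: ['img/logo.png'], matches: ['https://vault.example/*'] }] });
```

Keeping UI pages out of web_accessible_resources altogether removes the attack surface; where an HTML resource must be exposed, restrict `matches` to the origins that need it.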

Example

Although this isn’t a new technique and information has been available for several years, some extensions still have this security vulnerability. In this research focused on password managers, one of them had this issue.

In December 2023, I reported this clickjacking vulnerability in the NordPass password manager. Due to incorrect web_accessible_resources definition, it was possible to load the entire password manager UI in an iframe.

With 4 clicks, it was possible to share all items from the password manager to an attacker’s account. The result was that the attacker gained access to all stored passwords, credit cards, and personal data without the user’s knowledge.
